
Weird 'Ghost Spam' Testing Addresses

The messages are unusual because the message body is a mix of HTML and apparently random numbers. Security researchers say it's probably some hackers testing their mailing lists, meaning an attack may be in the offing.

A wave of strange e-mails with strings of numbers as their only message is most likely a spammer's or hacker's test of his mailing list, several security companies concluded Thursday, and may presage a junk mail campaign or a malware attack.

The messages, which Panda Software characterized as "ghost mail," are unusual in that the send and from fields are the recipient's own address, that the subject heading is a number -- 455, 557, 56757, 586876, or 1545453 -- and the message body is a mix of HTML and apparently random numbers.

Unlike most malicious mail or spam, these do not include a file attachment (the usual way e-mail is used to deliver worms or Trojan horses), nor do they include an embedded link, as do phishing messages.
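The traits described above can be checked mechanically on a mail gateway or in a mailbox audit. The following Python sketch is an added example, not code from Panda or Symantec; the function names, the sample messages and the rule that the body contains only digits once HTML tags are stripped are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

REPORTED_SUBJECTS = {"455", "557", "56757", "586876", "1545453"}  # from the article
DIGITS_RE = re.compile(r"[0-9]+")
TAG_RE = re.compile(r"<[^>]+>")
LINK_RE = re.compile(r"https?://|href\s*=", re.I)

def body_text(msg):
    """Return (all text/* parts joined, whether any part is an attachment)."""
    chunks, has_attachment = [], False
    for part in msg.walk():
        if part.get_filename() or part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks), has_attachment

def ghost_mail_indicators(raw):
    """Evaluate each trait the article lists for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip()
    body, has_attachment = body_text(msg)
    tokens = TAG_RE.sub(" ", body).split()  # assumption: visible text = body minus tags
    return {
        "self_addressed": bool(sender) and sender == rcpt,
        "numeric_subject": bool(DIGITS_RE.fullmatch(subject)),
        "reported_subject": subject in REPORTED_SUBJECTS,
        "numeric_body": bool(tokens) and all(DIGITS_RE.fullmatch(t) for t in tokens),
        "no_attachment": not has_attachment,
        "no_link": not LINK_RE.search(body),
    }

def is_ghost_mail(raw):
    # reported_subject is informational only: the subject list may change between waves.
    ind = ghost_mail_indicators(raw)
    required = ("self_addressed", "numeric_subject", "numeric_body", "no_attachment", "no_link")
    return all(ind[k] for k in required)

# Constructed sample messages (not captured traffic).
GHOST = "From: a@example.com\nTo: a@example.com\nSubject: 56757\nContent-Type: text/html\n\n<html><body>48213 <b>9920</b> 771035</body></html>\n"
PHISH = "From: billing@example.net\nTo: a@example.com\nSubject: Account notice\nContent-Type: text/html\n\n<a href=\"http://example.test/login\">verify</a>\n"

if __name__ == "__main__":
    for name, raw in (("GHOST", GHOST), ("PHISH", PHISH)):
        print(name, is_ghost_mail(raw), ghost_mail_indicators(raw))
```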

"The most likely scenario is that a group of hackers are checking the validity of e-mail address databases," said Luis Corrons, director of Panda's research, in a statement. "By sending these messages they can determine if the addresses are active or not and remove those that are no use."

If that's the case, Corrons went on, it implies that the cyber crook is cleaning up his mailing list prior to sending phishing spam or distributing known or unknown malware.

Rival security company Symantec provided more detail in an alert issued to customers of its DeepSight Threat Management System.

In the warning, Symantec researchers said that the messages were being cranked out by a new version of "Tooso," a Trojan first discovered in February 2005.

"Tooso, like many other families of malicious code, contains an update mechanism that consists of polling a set of hardcoded URLs for a file to be downloaded and executed," Symantec wrote in its alert. "Shortly before these spam messages were received, the Tooso author made an update live on several of the URLs that Tooso has been polling."

Symantec's researchers said that they had confirmed that the new Tooso generated spam in the number-based format of the mail wave.

"It is clear that Tooso is attempting to verify harvested email addresses," the warning continued. "Upon infection, it is polling several web sites for email addresses to test. It then attempts to spam these addresses, and reports all addresses that did not result in an SMTP error to another script."

Users of Gmail -- the free e-mail service run by Google -- have theorized that the attack was directed at them: because the mail is spoofed to appear to be from the recipient, it's slipping past the filters and ending up in the "Sent messages" folder.

Symantec countered, saying that it was unlikely because the spam is also being received by non-Gmail users.
